Hi Tom,
Sounds like you are experiencing the same issue I had except I am still on 2008 R2 Sp1. You will definitely need to enable vpdebug and capture a scan. If you see "ScanThrottling: User is not Idle. Sleeping" through out the log try changing the scan tuning in SEPm to run scans at "Best scan performance" instead of balanced, or best application performance. This will tax your server resources but the scan improvement is dramatic and scans seem to stop getting stuck.
If you still notice slow or stuck scans there are some scan tuning reg keys to add to the server that force the defwatch scans (they can cause your scans to get stuck as well) to run at full speed instead of balanced. We had to do both here to get scans back on track. These were the keys for 64 bit windows servers (though I did not test on 2012):
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\Defwatch CScan Repair Options]
"ScanTuning"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\LocalScans\Defwatch QuickScan Options]
"ScanTuning"=dword:00000000
My thread in the forum is here for more details:
https://www-secure.symantec.com/connect/forums/couple-issues-after-upgrading-sepm-and-clients-121-ru5
Hope you get your issue resolved in a timely manner. Good luck.
Larry